Creating security configuration guidelines for the many different ages and types of systems used on campus is a daunting and time-consuming task. ITaP Networks and Security is often asked to recommend a set of systems security configuration guidelines that can be consulted by Purdue University system administrators in the absence of specific Purdue University guidelines. While there are a number of commercial or external benchmark tools and guidelines available to system administrators to provide best practice information for security configuration, ITaP Networks and Security recommends the use of benchmarks created by the Center for Internet Security.
The Center for Internet Security (CIS) helps organizations reduce risks incurred from the use of inadequate technical security controls. CIS distributes consensus best practice benchmarks for security configuration. These benchmarks are unique because they are created by consensus by hundreds of security professionals worldwide. The benchmarks are widely accepted by U.S. government agencies to meet regulatory requirements for FISMA compliance, and by auditors for compliance with the ISO standard as well as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), HIPAA, FERPA, and other information security regulatory requirements.
Purdue University is a member of the CIS, and as such has the right to distribute the benchmarks and tools for use within Purdue University. ITaP Networks and Security recommends the CIS benchmarks for consultation and use by Purdue University system administrators when no other specific Purdue University policy, standard, guideline, or procedure applies to the underlying system.
Any number of Purdue University employees may obtain a user account on the CIS Members Site. To register, go to http://members.cisecurity.org/ and click the "register" link. (This page is also accessible via a link from the home page of the public web site, http://www.cisecurity.org.) Complete and submit the registration information. Within 24 hours you will receive an email indicating that your registration has been activated. Then you can enter the site using the username and password you selected.
All the CIS Benchmarks, and several software Scoring Tools that can be used to compare the configuration of Purdue systems to the benchmarks, are distributed from the CIS Public Web site at www.cisecurity.org. There is no need to register for access to that site. On the Members Web Site Purdue employees have access to CIS Scoring Tools with specialized features, including:
The CIS Members Web Site also contains various discussion forums and development versions of new Benchmarks and Scoring Tools. Please note that ITaP Networks and Security does not support the tools and benchmarks available from CIS.
Greg Hedrick, Manager of Security Services in ITaP Networks and Security, states that these benchmarks are unique in the depth and breadth of their coverage. Hedrick said, “While they may not be tailored specifically to Purdue, they can serve as guidelines for system administrators and a way to compare the system security configuration against a benchmark developed by technical folks from a number of industries and computing environments from other higher education institutions to private corporations.”
Addam Schroll, a Security Analyst in ITaP Networks and Security, states that he is frequently asked to recommend best practices for system security settings and that these guidelines are geared toward system administrators and anyone who administers a machine. Schroll said, “Purdue policies and procedures override the benchmarks, which only serve as a guideline for administrators and system owners. These guidelines can be used any time a system owner brings up a new system or changes the existing system configuration and needs a best practices guideline for a security configuration.”
To read more about the benchmarks, please visit: http://www.cisecurity.org/bench.html.